Add external report destination verification via _report._dmarc DNS lookup (openSUSE z03) #392

Merged: thegushi merged 1 commit, May 29, 2026
Implements RFC 9990 §4 / RFC 9991 §5 external report destination verification in opendmarc-reports, closing the gap identified in issue trusteddomainproject#371 (the existing verification in libopendmarc covers only the milter path, not the reporting script).

Key changes:

- For each cross-domain RUA mailto: address, query <from-domain>._report._dmarc.<dest-domain> for a TXT record starting with 'v=DMARC1'. Falls back to the wildcard (*._report._dmarc.<dest>) on NXDOMAIN. Fails open on SERVFAIL or timeout (conservative: don't drop reports due to transient DNS failures). Same-org addresses are accepted without a DNS query.
- Org-domain comparison uses a built-in PSL reader (load_psl / get_org_domain) that reads the same public_suffix_list.dat file the milter uses, with a two-label fallback when no PSL is configured. Replaces the Domain::PublicSuffix CPAN dependency in the submitted patch -- PSL consumption is string parsing, not a library problem.
- Size-limit suffix (!NNNk/m/g/t) parsed from RUA URIs (check_size_restriction). Addresses that exceed their declared size limit receive a delivery-failure notice instead of the full report.
- http/https URIs bypass destination verification (external auth applies only to mailto:) and are handled inline.
- parse_rua_uri() consolidates URI parsing and scheme validation.
- More unique MIME boundary (hostfqdn()/time() vs static 'report_section').

Written by Juri Haberland for openSUSE (z03_reportDestVerificationV2.patch), submitted by Dirk Stoecker. Substantially reworked for current develop: conflict resolution, Domain::PublicSuffix replaced with built-in PSL reader, Switch module removed, dead code eliminated, date format fixed.

Co-authored-by: Juri Haberland <juri@koschikode.com>
Co-authored-by: Dirk Stöcker <github@dstoecker.de>
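The block below is an added, self-contained illustration of the verification flow the description above lays out: org-domain comparison through a PSL with a two-label fallback, the <from-domain>._report._dmarc.<dest-domain> TXT lookup with wildcard fallback on NXDOMAIN and fail-open on SERVFAIL/timeout, the !NNN[kmgt] size suffix, and the http/https bypass. It is example code written for this page in Python, not the project's opendmarc-reports script (which is Perl) and not the openSUSE patch. The names load_psl, get_org_domain, parse_rua_uri and check_size_restriction are borrowed from the description, but their signatures, the four-rule PSL excerpt, the in-memory DNS zone and the rua= value are all this example's own assumptions; DNS is passed in as a callable so the module runs offline, and a real TXT resolver would be substituted for live use.

```python
# Added, stand-alone Python illustration of the checks described in the PR above; it is not
# opendmarc-reports (Perl). Function names follow the PR text; signatures and data are assumptions.
import re

# Constructed excerpt in public_suffix_list.dat syntax; the real file is far larger.
PSL_SAMPLE = """\
com
co.uk
*.ck
!www.ck
"""

def load_psl(text):
    """Parse PSL text into (exact, wildcard, exception) rule sets; '//' starts a comment."""
    rules = [l.split("//", 1)[0].strip().lower() for l in text.splitlines()]
    rules = [r for r in rules if r]
    return ({r for r in rules if r[0] not in "!*"},
            {r[2:] for r in rules if r.startswith("*.")},
            {r[1:] for r in rules if r.startswith("!")})

def get_org_domain(domain, psl=None):
    """Public suffix plus one label; without a PSL, the last two labels (the PR's fallback)."""
    labels = domain.lower().rstrip(".").split(".")
    if psl is None:
        return ".".join(labels[-2:])
    exact, wild, exc = psl
    suffix_len = 0
    for i in range(len(labels)):                         # longest candidate first
        cand, parent = ".".join(labels[i:]), ".".join(labels[i + 1:])
        if cand in exc:                                  # exception rule wins outright
            suffix_len = len(labels) - i - 1
            break
        if cand in exact or (parent and parent in wild):
            suffix_len = max(suffix_len, len(labels) - i)
    suffix_len = suffix_len or 1                         # PSL default rule "*": bare TLD
    return ".".join(labels[-(suffix_len + 1):]) if len(labels) > suffix_len else ".".join(labels)

def parse_rua_uri(uri):
    """(scheme, target, size_limit_bytes|None) for mailto:/http:/https:, else None."""
    m = re.fullmatch(r"(?i)(mailto|https?):(.+?)(?:!(\d+)([kmgt])?)?", uri.strip())
    if not m:
        return None
    units = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3, "t": 1024 ** 4}
    limit = None if m.group(3) is None else int(m.group(3)) * units.get((m.group(4) or "").lower(), 1)
    return m.group(1).lower(), m.group(2), limit

def check_size_restriction(report_size, limit):          # limit None: no '!' suffix given
    return limit is None or report_size <= limit

def verify_external_destination(from_domain, dest_domain, resolve_txt, psl=None):
    """resolve_txt(name) -> (rcode, [txt, ...]); returns (allowed, reason). Same org: no query.
    NXDOMAIN: fall back to the wildcard name. SERVFAIL/TIMEOUT: fail open, as the PR chooses."""
    if get_org_domain(from_domain, psl) == get_org_domain(dest_domain, psl):
        return True, "same-org"
    for name in (f"{from_domain}._report._dmarc.{dest_domain}", f"*._report._dmarc.{dest_domain}"):
        rcode, records = resolve_txt(name)
        if rcode == "NOERROR":
            if any(r.startswith("v=DMARC1") for r in records):   # tag value is case-sensitive
                return True, f"authorized by {name}"
            return False, f"{name} has no v=DMARC1 TXT record"
        if rcode != "NXDOMAIN":            # change to "return False" to fail closed instead
            return True, f"fail-open on {rcode} for {name}"
    return False, "no _report._dmarc authorization"

def plan_deliveries(from_domain, rua, report_size, resolve_txt, psl=None):
    """Per URI of a comma-separated rua= value: 'send', 'notice' (size exceeded) or 'skip'."""
    plan = []
    for raw in rua.split(","):
        parsed = parse_rua_uri(raw)
        if parsed is None:
            plan.append((raw.strip(), "skip", "unparseable URI or unsupported scheme"))
            continue
        scheme, target, limit = parsed
        if scheme != "mailto":                           # http(s): no external-auth check
            plan.append((raw.strip(), "send", "http(s) URI bypasses destination verification"))
            continue
        allowed, why = verify_external_destination(from_domain, target.rpartition("@")[2], resolve_txt, psl)
        if not allowed:
            plan.append((target, "skip", why))
        elif not check_size_restriction(report_size, limit):
            plan.append((target, "notice", f"{report_size} B exceeds declared limit {limit} B"))
        else:
            plan.append((target, "send", why))
    return plan

# Constructed DNS zone for the offline demo; anything not listed resolves as NXDOMAIN.
FAKE_DNS = {
    "example.com._report._dmarc.dmarc-service.net": ("NOERROR", ["v=DMARC1"]),
    "*._report._dmarc.wild.example": ("NOERROR", ["v=DMARC1; rua=mailto:agg@wild.example"]),
    "example.com._report._dmarc.flaky.example": ("SERVFAIL", []),
}
def fake_resolve_txt(name):
    return FAKE_DNS.get(name.lower(), ("NXDOMAIN", []))

if __name__ == "__main__":
    rua = ("mailto:dmarc@example.com, mailto:agg@dmarc-service.net!10k, mailto:x@other.example, "
           "mailto:y@wild.example, mailto:z@flaky.example, https://rpt.example.org/in")
    for target, action, why in plan_deliveries("example.com", rua, 50_000, fake_resolve_txt, load_psl(PSL_SAMPLE)):
        print(f"{action:6} {target:32} {why}")
```

Run as a script it prints one decision per rua= entry: the same-org address is sent without any query, the 10k-limited external address gets a size notice instead of the 50,000-byte report, the unauthorized external domain is skipped after both the specific and the wildcard name return NXDOMAIN, the wildcard-authorized domain is sent, and the SERVFAIL domain is sent because of the fail-open choice. That last case is the one to think about when deploying: a transient failure on the destination's authoritative servers lets a report through without authorization, which the PR accepts to avoid dropping reports; the one marked line flips it to fail-closed. The rua= tag inside a matching _report._dmarc record (the "report address replacement" the openSUSE patch note mentions) is not applied by this example.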
Branch force-pushed from e2dd611 to 2120b22.
thegushi added a commit to thegushi/OpenDMARC that referenced this pull request, May 29, 2026.
thegushi added a commit that referenced this pull request, May 29, 2026.
thegushi added a commit that referenced this pull request, May 30, 2026:
…ent (#393)

* docs: update CHANGES with attribution for merged and closed PRs
  - Add attribution to policy_published.domain fix (#270): independently patched by Eneas U. de Queiroz for openSUSE, submitted by Dirk Stöcker
  - Add attribution to opendmarc_tld_read_file memory leak fix (#347): independently patched by Juri Haberland for openSUSE, submitted by Dirk Stöcker
  - Add attribution to domain case normalization fix (#351): independently patched by Dirk Stöcker for openSUSE
  - Document failure report Subject line fix (#391): written by Juri Haberland, submitted by Dirk Stöcker
  - Document failure report hostname in body (#389): written by Juri Haberland, submitted by Dirk Stöcker
  - Document IgnoreAuthenticatedClients logging (#387): written by Juri Haberland, submitted by Dirk Stöcker
  - Document --skipdomains option (#383): written by Dirk Stöcker
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* docs: add CHANGES entry for PR #388 (RFC 2822 date format in report body)
* docs: add CHANGES entries for PRs #390 (UTC timezone, migration script)
* docs: add CHANGES entry for PR #380 (Content-Description MIME headers)
* ci: add libnet-dns-perl; docs: add CHANGES entry for PR #392
* reports: rewrite opendmarc-importstats as a Perl script
  Converts the 25-line shell script to a proper Perl .in template, consistent with every other script in reports/.
  - Reads HistoryFile from opendmarc.conf using a real parser (no grep/sed), so users who configure a non-default path get correct behaviour automatically
  - --history-file=path overrides the config for command-line flexibility
  - --conf=file selects an alternate opendmarc.conf
  - Falls back to /var/run/opendmarc.dat when HistoryFile is not set
  - Uses open(pipe) instead of shell redirection to avoid injection risk
  - --verbose and --version consistent with other reporting tools
  Closes #358.
* docs: add CHANGES entry for importstats rewrite; ci: add to syntax check
* feat: add IgnoreMailTo option to suppress history recording by recipient
  Adds a comma-separated IgnoreMailTo config option analogous to IgnoreMailFrom. Messages addressed to any listed address are not written to the history file and generate no aggregate reports. The primary use case is loop prevention: a domain whose rua=/ruf= address also receives mail through the filter can suppress report traffic from being treated as reportable.
  Original patch by Dirk Stöcker (openSUSE ticket208 / PR #381).
reportDestVerificationV2.patch
written by Juri Haberland
status: recommended - enhancement
This patch is not yet linked to an OpenDMARC ticket, as I want to receive some feedback from others. It adds external report destination verification and report address replacement. It also reorganizes the way the reports are sent. In addition, it sends an error report if all report addresses are unusable due to size limitations. See #159.